Re: 3 Proposals: session ID, business-card auth, customer auth

James Gosling (jag@scndprsn.eng.sun.com)
Tue, 18 Jul 1995 13:40:51 +0800

> Hmmm... care to give some details about these "ideas coming down
> the pipe?" Here are my thoughts, after having surveyed this space
> for a while:
>
>
> ******* I. The Request-ID: header field:
> ******* II. The business-card authentication scheme

The problem I have with many schemes like this (leaving the ethical
questions alone for now!) is that they don't work in the face of proxy
caching. Either the cache uses the fields as part of the "cache key",
dramatically reducing the hit rate, or it doesn't, defeating the
purpose of the extension: to get access information back to the
provider.

High proxy cache hit rates are *essential* for the web to scale. The
architecture has to avoid white-hot servers handling millions of
clients directly. Load has to be shifted to local proxies, which under
current caching schemes makes the user information very murky. One
solution to have a header field in the reply that contains
something like this:

aggregate-demographics: email-addr

Which if recieved by a proxy server would cause it to accumulate some
standard set of useful-but-not-invasive statistics (if such exist!)
about uses of the page and mail them to the email address on a
periodic basis.